I am in the process of converting an old legacy setup to Wix.  I prefer to
use the APIs provided by the Wix toolset, rather than importing std
namespace, and in this case working with sensitive data I am looking for
advice on how to do this in a secure manner.

The old code uses std::tstring populated with sensitive data and then it
does this to populate a BYTE array for a Win32 function call:
        tstring szData = ......;
        ......
        BYTE *pbDataInput = (BYTE *) szData.c_str();
        DWORD cbDataInput = (DWORD) (szData.size() * sizeof(wchar_t)); 

For my new CA the sensitive string is Unicode from a 'hidden' MsiProperty.
LPWSTR pwzSensitive = NULL;
hr = WcaGetProperty(L"PROP", &pwzSensitive);
ExitOnFailure(hr, "failed to resolve PROP");

...Tried StrAllocStringSecure (however did not compile) and
StrAllocHexDecode (compiles but not expected result).  Looked at using
memcpy.... The string may include any Unicode language group. 
... Looking for advice on how to approach this.

LExit:
    hr = StrSecureZeroString(pwzSensitive);
    //ExitOnFailure(hr, "failed to zero and free a buffer.");
    // Since StrSecureZeroString is called after LExit, not sure if also
    // calling ExitOnFailure is wise - needs more research

Any suggestions would be appreciated.  I have spent so much time over the
last few months working on the mba, and finding ways to avoid writing CAs,
that my C++ skills are withering on the vine.  The C# SecureString support
was very helpful in the mba.  Thanks for the help!




--
View this message in context: 
http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/C-CA-using-Wca-and-StrUtil-for-secure-data-tp7600677.html
Sent from the wix-users mailing list archive at Nabble.com.
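
Added example, not part of the original post and not WiX code: the pointer-and-byte-count pair the old code built from tstring, taken directly over the buffer that WcaGetProperty fills in so that no second copy of the secret exists, followed by a wipe of that buffer. Assumptions: char16_t stands in for WCHAR and uint32_t for DWORD so it builds off Windows; SensitiveView, ViewSensitive and WipeSensitive are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>

// Assumption: char16_t stands in for WCHAR (one UTF-16 code unit) and
// uint32_t for DWORD, so this compiles off Windows.
struct SensitiveView { const uint8_t* pb; uint32_t cb; };

// Length in code units, terminator excluded. Characters outside the BMP
// take two code units, so this counts units, not characters.
static size_t CodeUnits(const char16_t* pwz)
{
    size_t cch = 0;
    while (pwz && pwz[cch]) ++cch;
    return cch;
}

// Hypothetical helper: describe the existing buffer as bytes without
// copying it, so there is only one allocation to wipe afterwards.
bool ViewSensitive(const char16_t* pwz, SensitiveView* pView)
{
    if (!pwz || !pView) return false;
    size_t cch = CodeUnits(pwz);
    if (cch > UINT32_MAX / sizeof(char16_t)) return false; // cb would not fit
    pView->pb = reinterpret_cast<const uint8_t*>(pwz);
    pView->cb = static_cast<uint32_t>(cch * sizeof(char16_t));
    return true;
}

// Hypothetical helper: overwrite the secret in place. The volatile pointer
// keeps the compiler from dropping stores to memory about to be freed.
size_t WipeSensitive(char16_t* pwz)
{
    size_t cch = CodeUnits(pwz);
    volatile char16_t* p = pwz;
    for (size_t i = 0; i < cch; ++i) p[i] = 0;
    return cch;
}
```

In the custom action the view would be taken after WcaGetProperty succeeds and the wipe would run under LExit, where the post already calls StrSecureZeroString.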
